ClawHub

x-twitter-browser

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for X/Twitter automation, but it needs review because it stores reusable login cookies and can perform live account actions with limited built-in safeguards.

Install only if you intentionally want an agent to control your live X/Twitter account through a saved browser session. Confirm the exact text, target tweet, and action before every write; protect or delete ~/.openclaw/auth/x-twitter/cookies.json when finished; and understand that the automation may conflict with platform expectations around automated activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares only an allowed Bash tool, but the documented behavior clearly relies on reading user auth state and files such as persistent cookie storage under ~/.openclaw/auth/x-twitter/cookies.json. This mismatch weakens least-privilege enforcement and can cause users or the platform to underestimate the skill's ability to access local state, including reusable authentication material.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description does not prominently warn that the user will enter X credentials and possibly 2FA into a browser automation flow and that long-lived session cookies are then saved for reuse. Because those cookies can often act as bearer tokens for the account, insufficient disclosure increases the risk of users consenting without understanding the persistence and sensitivity of the stored authentication state.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script performs an irreversible external action by posting to X immediately after session verification, with no user-facing confirmation, dry-run mode, or secondary approval step. In an agent/automation context, that makes accidental, coerced, or prompt-injected posting significantly more likely, especially because the skill is explicitly designed to act on a real authenticated account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script performs a real reply/posting action immediately after session verification, with no explicit user confirmation, dry-run mode, or pre-action warning before clicking the post button. In an agent skill context, that makes unintended public actions materially more likely if the tweet ID or reply text is wrong, manipulated, or triggered automatically by another workflow.

Session Persistence

Medium
Category
Rogue Agent
Content
## Operational requirements

- Before the first action, check if session exists; if not, run the two-phase login flow (see "Session management" above)
- Run `--verify-only` before any write operation
- Confirm the action and content before executing
- Do not commit cookies to the repo (`~/.openclaw/auth/`)
- Call `scripts/*.py` directly
Confidence
84% confidence
Finding
write operation - Confirm the action and content before executing - Do not commit cookies to the repo (`~/.openclaw/auth/`) - Call `scripts/*.py` directly ## Troubleshooting ### `No saved session. R

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal